Linux Distros Unpatched Vulnerability : CVE-2024-45296

🗓️ 05 Mar 2025 00:00:00Reported by TenableType

Linux host has unpatched vulnerability CVE-2024-45296 affecting performance and security.

Reporter	Title	Published	Views	Family All 168
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Analyst Workflow for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	8 Jan 202518:32	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in path-to-regexp affects watsonx.data	30 Jan 202514:24	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in Cloud Pak foundational services are addressed with IBM Cloud Pak for Business Automation 24.0.1-IF001	28 Feb 202509:11	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to pillarjs Path-to-RegExp (CVE-2024-45296).	28 Jan 202522:08	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (February 2025)	15 Apr 202503:52	–	ibm
IBM Security Bulletins	Security Bulletin: Denial of service, DNS poisoning, and information disclosure might affect IBM Storage Defender – Resiliency Service	31 Oct 202416:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Product Hub is affected by several vulnerabilities	11 Dec 202422:59	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion HCI and IBM Fusion HCI for watsonx	31 May 202514:07	–	ibm
IBM Security Bulletins	Security Bulletin: A pillarjs path-to-regexp vulnerability affects IBM Safer Payments (CVE-2024-45296)	28 Jan 202522:08	–	ibm

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2024-45296
ubuntu	www.ubuntu.com/security/CVE-2024-45296
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(229239);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/03");

  script_cve_id("CVE-2024-45296");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2024-45296");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output
    a regular expression that can be exploited to cause poor performance. Because JavaScript is single
    threaded and regex matching runs on the main thread, poor performance will block the event loop and lead
    to a DoS. The bad regular expression is generated any time you have two parameters within a single
    segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other
    users should upgrade to 8.0.0. (CVE-2024-45296)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-45296");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2024-45296");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45296");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:26.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:node-express");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:node-path-to-regexp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:node-path-to-regexp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("set_linux_os_id.nasl", "ssh_get_info2.nasl");
  script_require_keys("Host/OS/identifier", "Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10", "Host/OS/Ubuntu Linux-26.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "node-path-to-regexp"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "node-path-to-regexp"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "node-express"}
        ]
      }
    ]
  },
  "Ubuntu Linux-26.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "26.04",
        "pkgs": [
          {"reference": "node-express"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.04",
        "pkgs": [
          {"reference": "node-express"},
          {"reference": "node-path-to-regexp"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

03 Jun 2026 00:00Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.17.5

EPSS0.00066

SSVC